Tuesday, March 27, 2007

The IT Policy Compliance Group has published a useful research report describing best practices for decreasing the incidence of sensitive data loss. One particularly interesting feature of the report is its comparison of what makes leading firms (i.e., those with the fewest data-loss incidents) different. Specifically, the report shows that leading organizations are unusual in employing multiple IT controls to protect sensitive data, and in monitoring and measuring those controls and procedures once every four days. The report also shows that leading firms count two types of non-core business data (IT security data and regulatory audit and reporting data) among their most sensitive data. Thus the report provides not only good comparative data but also guidance for improving existing practices, and should be considered recommended reading for any organization interested in reducing data loss.

Thursday, March 22, 2007

Symantec has put out a white paper which discusses some of the compliance issues related to instant messaging. A particularly useful aspect of the paper is a handy (though not exhaustive) list of regulations which are related to corporate instant messaging.

Wednesday, March 21, 2007

How important is it for businesses to safeguard data? This article from ComputerWorld cites a study which pegs the cost at $182 for each record lost or exposed. Of course, costs can easily rise beyond that level, as happened in the case of ChoicePoint, which lost $720,000,000 in market capitalization as a result of a breach which compromised 145,000 customer accounts.

Happily, such costs are not a foregone conclusion, and there are some steps which businesses can take to help limit the risk of a breach. The ComputerWorld article advises measures such as establishing a culture of control, categorizing data in terms of risk, and educating employees about security precautions in order to minimize the chance of losses. While the article's recommendations make sense, I would add damage mitigation measures to the list as well, since it is simply unrealistic to expect that any security policy will be foolproof. For example, laws such as California's security breach notification law do not treat all breaches equally (a breach of data that was encrypted is treated differently from a breach of data stored in the clear), and an organization which designs its data storage policies with those laws in mind will be in better shape than one which simply hopes that a breach will never happen.

Monday, March 12, 2007

While my last post discussed whether federal data security legislation was inevitable, it seems that industry isn't waiting for Congress to act before implementing measures which should be welcome news for anyone concerned with the security of their personal information. First, on the 12th, Seagate Technology announced that a manufacturer would begin selling laptops with built-in encryption technology. According to this article, the new machines

will include a chip that makes it impossible for anyone to read data off the disk, or even boot up a PC, without some form of authentication.

thus (hopefully) making the scares following the loss or theft of laptops containing sensitive information a thing of the past. One caveat: encryption of this kind protects data at rest, that is, on a machine that has been powered off or not yet unlocked; it does nothing for a laptop that is stolen while running and logged in, so it complements, rather than replaces, screen locks and sensible handling. Also, coming fast on the heels of the Seagate announcement, Google has announced that it will revise its data retention policies to protect user privacy. According to this article, Google will begin implementing a policy to anonymize user search records 18-24 months after their creation. While some privacy advocates, such as the Electronic Privacy Information Center's executive director, Marc Rotenberg, say that Google's new policy doesn't go far enough, it is still a welcome improvement over Google's current policy of retaining identifying information in search records indefinitely.

Thursday, March 8, 2007

The possibility of a federal data privacy law being enacted is once again in the news, as Bill Gates, speaking at a dinner hosted by the Center for Democracy and Technology, said that there was a critical need for such legislation. According to this article from CNET, the Microsoft co-founder argued that the key was to put in place

explicit policies about where information can be used while at the same time having enough information to track down egregious behavior

and Senator Patrick Leahy stated that he was ready to re-introduce his Personal Data Privacy Act to try to achieve that goal. However, the big issue, which neither Gates nor Leahy addressed, is whether there is a realistic likelihood that any data privacy legislation from Washington would improve data privacy practices, or whether its primary effect would be to preempt the tough state laws on the books today, such as California's SB-1386. There is no sure way to know what will happen in Congress, but my guess is that, if Washington enacts data privacy legislation, protections such as those afforded by California's law will be a thing of the past.

Wednesday, March 7, 2007

Lobbyists for the financial services industry are expressing concern that the Democratic-controlled Congress may produce a data security bill that is more onerous than the industry had been hoping for, and that gives state attorneys general more enforcement authority than they would like to see. The difficulty that has stymied an agreement on legislation thus far has been the inability of the financial services industry to work out jurisdictional issues with the states, as advocated by the House Energy and Commerce Committee. That Committee would subject banks to rules written and enforced by the FTC and state attorneys general, and has reintroduced a bill to that effect that was approved in committee last year. The Financial Services Committee, on the other hand, hopes to work out the jurisdictional issues with the E&C Committee in order to introduce a compromise bill. On the Senate side, the chairman of the Judiciary Committee, Senator Patrick Leahy, has reintroduced a far-reaching data security bill approved by his committee last year, which also defers to the authority of the state attorneys general. Joining this Senate bill are two other Senate bills introduced by Senator Dianne Feinstein, one outlawing the sale of Social Security numbers, and the other a data breach notification bill. The American Bankers Association supports a data security bill, but opposes the involvement of state attorneys general. It is concerned with the regulatory burden of multiple state standards, and has been lobbying for a single national standard. Thus, lobbyists for the financial industry state that the industry would not be disappointed if the bills, as currently written, do not move forward during this session of Congress.

Friday, March 2, 2007

According to this article from CNET, the Department of Justice is pushing for more data retention by Internet service providers. The purported justifications for this new push are combating child pornography and (of course) anti-terrorism. The problem (or one of them) is that longer and more extensive data retention is, from a security standpoint, a policy which should be discouraged, not mandated. For example, section 3.1 of the Payment Card Industry Data Security Standard (available here, though you have to agree to a license) requires that cardholder data storage be kept to a minimum, since the more data is retained, the more data could potentially be stolen and/or used for unauthorized purposes. Data that must be retained must also be protected for as long as it is kept, so a retention mandate adds both to the cost of securing it and to what an attacker can take in a single breach. Whether such concerns will have any impact at all in Washington remains to be seen, but they indicate that the more involvement the government has in determining data retention policies, the more potential risks consumers will face.

Privacy Statement

The authors value the privacy of their blog viewers. This site does not currently collect personal identifying information ("PID"), except: (1) to the extent that your browser provides PID, like your e-mail address or the site you linked from, to this site's server; (2) to the extent that you provide PID to this site in an e-mail; and (3) to the extent that you provide PID to this site in a CGI form (for example, when you complete a search request on this site's "Search this Site" search feature). Your PID will be used only for the specific purpose for which you submitted the PID, except that it may be used in an aggregated form to gauge the popularity of this site. "Cookies" are pieces of information that some web sites transfer to the computer that is browsing that web site, and are used for record-keeping purposes at many web sites. Use of Cookies performs certain functions such as saving your passwords, lists of potential purchases, and your personal preferences regarding your use of the particular web site. This site uses Cookies to gather anonymous traffic data. Your browser is probably set to accept Cookies. However, if you would prefer not to receive Cookies, you can alter the configuration of your browser to refuse Cookies. This site contains links to other sites. The authors and their employers do not share your personal information with those sites and are not responsible for their privacy policies. We encourage you to learn about the privacy policies of those entities. Children under 13 years old are not the target audience of this site. To protect their privacy, the authors prohibit the solicitation of personal information from these children. The authors reserve the right to change this Privacy Policy at any time by posting a new privacy policy at this location. You can e-mail any further questions to wmorriss@fbtlaw.com.

Disclaimer

This site is provided for informational purposes only. The views expressed herein are solely those of the authors and should not be attributed to their employer or their clients. These materials do not constitute legal advice and do not create an attorney-client relationship between you and us. Please note that you are not considered a client until you have signed a retainer agreement and your case has been accepted by us. This site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Got it? THIS SITE IS "AS IS." WE MAKE NO REPRESENTATIONS AS TO THE ACCURACY, TIMELINESS OR COMPLETENESS OF THE STUFF HERE AND YOU SHOULD NOT RELY UPON IT. USE AT YOUR OWN RISK. WE EXPRESSLY DISCLAIM ALL WARRANTIES. This may be an advertisement. Your mileage may vary. Past performance does not guarantee future returns. Do not run with scissors.
NOTE: This disclaimer is largely taken from the established and extremely well written blog Patent Baristas.